Continuous authentication using an in-band or out-of-band side channel
First Claim
1. Apparatus for re-authenticating a user of a data connection, the data connection comprising a primary channel and a side channel, the apparatus comprising:
means for sending and receiving to a) send a request for identification to the user and receive an identifier from the user and b) send a plurality of challenges to and receive a plurality of responses from the user on the side channel, where each one of the plurality of responses corresponds to a respective one of the plurality of challenges; and
means for verifying each one of the plurality of responses as a function of each one of the respective plurality of challenges to provide an output representative of the verification of each one of the plurality of responses;
wherein the means for verifying encrypts each one of the plurality of challenges, where the encryption is a function of a data encryption key that is selected as a function of the identifier of the user and wherein the means for verifying compares each one of the plurality of responses with each respective one of the plurality of encrypted challenges to provide the output representative of verification, whereby if there is a mismatch between a respective one of the plurality of encrypted challenges and the one of the plurality of responses the data connection is interrupted.
Abstract
A re-authentication procedure between the modems of a public switched telephone network (PSTN) data connection, which is between a computer facility and a user, provides a secure method for protecting the computer facility against an active wire tap, or spoofing, by an intruder. In particular, the user's modem and the computer's modem perform a re-authentication procedure throughout the duration of the data connection. This re-authentication procedure is transparently performed on a side channel of the data connection. This side channel can either be an in-band channel or an out-of-band channel. The re-authentication procedure comprises an exchange of encrypted information between the two modems. If one of the modems detects the presence of an active wire tap, that modem simply interrupts the data connection.
30 Claims
1. Independent claim 1 as given above under First Claim.
Dependent claims: 2, 3, 4, 5, 6, 7, 8.
9. Data communications equipment apparatus for re-authenticating a user of a data connection, the data communications equipment apparatus comprising:
means for sending and receiving to a) send a request for identification to a second data communications equipment apparatus and receive an identifier from the second data communications equipment apparatus and b) send a plurality of challenges to and receive a plurality of responses from the second data communication equipment apparatus of the user, where each one of the plurality of responses corresponds to a respective one of the plurality of challenges; and
means for verifying each one of the plurality of responses as a function of each one of the respective plurality of challenges to provide an output representative of the verification of each one of the plurality of responses;
wherein the means for verifying encrypts each one of the plurality of challenges, where the encryption is a function of a data encryption key that is selected as a function of the identifier of the second communications equipment apparatus and wherein the means for verifying compares each one of the plurality of responses with each respective one of the plurality of encrypted challenges to provide the output representative of verification, whereby if there is a mismatch between a respective one of the plurality of encrypted challenges and the one of the plurality of responses the data connection is interrupted.
Dependent claims: 10, 11, 12.
13. A method for re-authenticating a user of a data connection, the data connection comprising a primary channel and a side channel, the method comprising the steps of:
sending a request for identification to the user and receiving an identifier from the user in response thereto;
sending a plurality of challenges to and receiving a plurality of responses from the user on the side channel, where each one of the plurality of responses corresponds to a respective one of the plurality of challenges; and
verifying each one of the plurality of responses as a function of each one of the respective plurality of challenges to provide an output representative of the verification of each one of the plurality of responses;
wherein the step of verifying encrypts each one of the plurality of challenges, where the encryption is a function of a data encryption key that is selected as a function of the identifier of the user and wherein the step of verifying compares each one of the plurality of responses with each respective one of the plurality of encrypted challenges to provide the output representative of verification, whereby if there is a mismatch between a respective one of the plurality of encrypted challenges and the one of the plurality of responses the data connection is interrupted.
Dependent claims: 14, 15, 16, 17, 18, 19, 20.
21. A method for re-authenticating a user of a data connection for use in a first data communications equipment apparatus, the data connection comprising the first data communications equipment apparatus and a second data communication equipment apparatus of the user, the method comprising the steps of:
a) sending a request for identification to the second data communications equipment apparatus and receiving an identifier from the second data communications equipment apparatus;
b) sending a plurality of challenges to and receiving a plurality of responses from the second data communication equipment apparatus, where each one of the plurality of responses corresponds to a respective one of the plurality of challenges; and
c) verifying each one of the plurality of responses as a function of each one of the respective plurality of challenges to provide an output representative of the verification of each one of the plurality of responses wherein the verifying step includes;
encrypting each one of the plurality of challenges, where the encryption is a function of a data encryption key that is selected as a function of the identifier of the second communications equipment apparatus; and
comparing each one of the plurality of responses with each respective one of the plurality of encrypted challenges to provide the output representative of verification, whereby if there is a mismatch between a respective one of the plurality of encrypted challenges and the one of the plurality of responses the data connection is interrupted.
Dependent claims: 22, 23, 24.
25. A method for re-authenticating a user of a data connection, the data connection comprising a first data communications equipment apparatus and a second data communications equipment apparatus, the method comprising the steps of:
a) storing in the first data communications equipment apparatus a key list comprising a plurality of identification numbers, each identification number associated with a data encryption key;
b) receiving in the first data communications equipment apparatus an identification number from the second data communications equipment apparatus;
c) retrieving from the key list the data encryption key associated with the identification number received from the second data communications equipment apparatus;
d) sending a challenge from the first data communications equipment apparatus to the second data communications equipment apparatus, the challenge comprising a number;
e) receiving in the first data communications equipment apparatus a response from the second data communications equipment apparatus, the response comprising a number; and
f) processing the response from the second data communications equipment apparatus by encrypting the challenge as a function of the retrieved data encryption key to provide an encrypted challenge; and
g) comparing the response with the encrypted challenge and repeating steps d) through g) if the response is equal to the encrypted challenge and interrupting the data connection if the response is not equal to the encrypted challenge.
Dependent claims: 26, 27, 28, 29, 30.
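The following is an added simulation of the challenge/response loop of claim 25 (and the equivalent verifying means of claims 1, 9, 13 and 21); it is not code from the patent. It assumes HMAC-SHA256 as the keyed transform the claims call "encrypting the challenge" (the claims do not fix a cipher), and the key list, identifiers and peer modems are constructed for the example.

```python
"""Side-channel re-authentication loop, claim 25 steps a) to g).
Added example, not the patent's code. HMAC-SHA256 stands in for the
unspecified encryption of the challenge under the data encryption key."""
import hashlib
import hmac
import secrets

# Step a): constructed key list, identification number -> data encryption key.
KEY_LIST = {
    "ID-1001": b"\x11" * 32,
    "ID-1002": b"\x22" * 32,
}


def encrypt_challenge(key: bytes, challenge: bytes) -> bytes:
    # Keyed transform both modems apply to the challenge (step f).
    return hmac.new(key, challenge, hashlib.sha256).digest()


class UserModem:
    """Second DCE: the legitimate peer, answering with its own key."""
    def __init__(self, ident: str, key: bytes):
        self.ident, self.key = ident, key

    def respond(self, challenge: bytes) -> bytes:
        return encrypt_challenge(self.key, challenge)


class ImpostorModem(UserModem):
    """Peer claiming an identifier without the matching key (the active
    wire tap of the abstract); it can only guess, so the host must reject it."""
    def respond(self, challenge: bytes) -> bytes:
        return secrets.token_bytes(32)


def reauthenticate(peer: UserModem, rounds: int, rng=secrets.token_bytes):
    """Host DCE side. Returns (rounds verified, connection still up)."""
    key = KEY_LIST.get(peer.ident)             # steps b) and c)
    if key is None:
        return 0, False                         # unknown identifier: interrupt
    for n in range(rounds):                     # claim 25 repeats d) to g)
        challenge = rng(16)                     # step d): the challenge number
        response = peer.respond(challenge)      # step e)
        expected = encrypt_challenge(key, challenge)       # step f)
        if not hmac.compare_digest(response, expected):    # step g)
            return n, False                     # mismatch: interrupt connection
    return rounds, True


if __name__ == "__main__":
    print(reauthenticate(UserModem("ID-1001", KEY_LIST["ID-1001"]), 5))
    print(reauthenticate(ImpostorModem("ID-1001", b"\x00" * 32), 5))
```

Constant-time comparison is used for the response check so that the verifier's timing does not leak how many bytes of a response matched.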
Specification